elasticSearch（三）报错：org.elasticsearch.ElasticsearchSecurityException:

【问题】启动elasticSearch报错：

org.elasticsearch.ElasticsearchSecurityException: invalid SSL configuration for xpack.security.transport.ssl - server ssl configuration requires a key and certificate, but these have not been configured; you must set either
查看日志如下提示：

【报错解析】：
xpack.security.transport.ssl的SSL配置无效——服务器SSL配置需要密钥和证书，但这些还没有配置;

【解决方案】：

elasticsearch配置用户名密码访问的配置

生成ssl的p12证书（要设置证书密码）：

创建CA证书
bin/elasticsearch-certutil ca

生成节点使用的证书
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

./bin/elasticsearch-certutil cert
–ca elastic-stack-ca.p12
–dns localhost
–ip 127.0.0.1,::1
–out config/certs/node-1.p12

–ca为CA证书路径名称
-dns为节点DNS
–ip为节点ip
–out为生成节点证书的路径和名称等，输出文件是PKCS＃12密钥库，其中包括节点证书，节点密钥和CA证书
或者使用命令 bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 效果跟上面这个一样，生成一个p12结尾的证书

提取出pem证书
// elastic-certificates.p12为上一步节点证书
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem

openssl安装：
下载并安装perl，地址（http://www.activestate.com/activeperl/downloads/） ，进入perl安装目录的eg文件夹，执行“perl example.pl”若显示“Hello from ActivePerl!”，则说明Perl安装成功。
http://slproweb.com/products/Win32OpenSSL.html
可以参考：https://blog.csdn.net/houjixin/article/details/25806151

elasticsearch各节点为xpack.security.transport添加密码
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

创建用户密码（默认要为6个用户创建密码）：

bin/elasticsearch-setup-passwords interactive

elasticsearch.yml配置文件内容

#集群名字，目前是单节点
cluster.name: “test”
#节点名
node.name: “es_test”
#配置可进行数据交互的ip
network.host: 0.0.0.0
#允许http跨域访问，es_head插件必须开启
http.cors.enabled: true
http.cors.allow-origin: “*”
#数据存储路径
path.data: /usr/share/elasticsearch/dat
#日志存储路径
path.logs: /usr/share/elasticsearch/logs
#不锁定jvm内存
bootstrap.memory_lock: false
#备份库
path.repo: [“/usr/share/elasticsearch/data/backup”]
#主节点
cluster.initial_master_nodes: [“es_test”]
#es_head连接时读取用户名密码
http.cors.allow-headers:
Authorization,X-Requested-With,Content-Length,Content-Type
#开启密码认证
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path:【es的安装路径】/config/XXX/elastic-certificates.p12
Linux:----------> /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path:【es的安装路径】/config/XXX/elastic-certificates.p12
Linux:----------> /usr/share/elasticsearch/config/certs/elastic-certificates.p12

【Windows】问题：

failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore)
&&
rm]
[2022-11-07T14:09:56,518][ERROR][o.e.b.Elasticsearch ] [LAPTOP-U6I6PKVV] fatal exception while booting Elasticsearchorg.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot specify both [certificate] and [keystore.path]

设置文件路径的，只配置这两个：

xpack.security.transport.ssl.keystore.path:
xpack.security.transport.ssl.truststore.path: 
1
2

文件路径window环境下路径问题：默认是从D盘开始的，一定要设定在有效的elasticSearch文件安装的目录下的config文件夹下，才会识别成功：
例如：

xpack.security.transport.ssl.keystore.path: /AA/BB/CC/ElasticSearch/config/XX.p12
# 识别的路径为：
D:\AA\BB\CC\ElasticSearch\config\XX.p12
1
2
3

【Linux问题】：

【报错】：ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - not permitted to read truststore file

【解决方法】：

配置elastic-certificates.p12的文件权限即可
chmod 777 elastic-certificates.p12

【Kibana连接ES集群】

elasticsearch.username: "kibana_system"
elasticsearch.password: "your_password"
1
2

请求地址说明：

设置账号密码后：

浏览器访问：

9200 ，有弹窗，可以直接输入账号密码

post访问：

http://elastic登入名:elastic密码@localhost:9200

es-head访问地址：

连接不带账号密码的地址：

http://localhost:9200/

连接带账号密码的地址：

http://127.0.0.1:9100/?auth_user=elastic登入名&auth_password=elastic密码

参考链接：
https://www.cnblogs.com/hahaha111122222/p/12053605.html
https://zhuanlan.zhihu.com/p/386532618
https://www.cnblogs.com/genqkun/p/15440025.html
https://www.cnblogs.com/dengbangpang/p/12953845.html